CN112202727A - Server-side verification user management method, system, terminal and storage medium - Google Patents


Info

Publication number: CN112202727A
Authority: CN (China)
Legal status: Granted
Application number: CN202010954417.7A
Other languages: Chinese (zh)
Other versions: CN112202727B (en)
Inventors: 杨金林, 霍文, 范益
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Classifications

    • H04L63/12 Network architectures or network communication protocols for network security; applying verification of the received information
    • H04L41/0663 Management of faults, events, alarms or notifications using network fault recovery; performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H04L43/10 Arrangements for monitoring or testing data switching networks; active monitoring, e.g. heartbeat, ping or trace-route
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/145 Session management; termination or inactivation of sessions avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session
Abstract

The invention provides a method, a system, a terminal and a storage medium for server-side verification and management of users, comprising the following steps: loading a security policy set from a database into memory, and creating a main service process and an auxiliary service process, both of which are mounted on that memory; if the auxiliary service process confirms that the state of the main service process is abnormal, terminating the main service process and switching the auxiliary service process to become the new main service process; verifying user login information sent by a client with the current main service process, establishing a communication connection with a client that passes verification, and monitoring the communication quality with the client; and calling the security policy set from the current main service process to verify the security verification information sent by the client, and providing the verified client with the service item corresponding to that security verification. The invention improves the security of server-side user management, avoids a single point of failure at the bastion host, and improves stability.

Description

Server-side verification user management method, system, terminal and storage medium
Technical Field
The invention relates to the technical field of user management, and in particular to a method, a system, a terminal and a storage medium for managing server-side authenticated users.
Background
With the rapid development and application of technologies such as big data and cloud computing, data centers have grown many times over, and secure host access has become a routine concern. The main problems with host access security today are that user permissions are divided at coarse granularity, accounts are shared, and operations are hard to trace; in addition, newly disclosed CVE vulnerabilities in open-source software that cannot be patched in time expose host access to greater risk.
The bastion host (jump host) model is adopted to address these problems. A bastion host is powerful and generally covers account management, authorization control, security auditing and similar functions, but it consumes more resources and costs more, carries its own potential security threats and vulnerabilities, and suffers from problems such as a single point of failure and compromise of the bastion host itself (followed by lateral movement within the internal network).
Disclosure of Invention
In view of the above-mentioned deficiencies of the prior art, the present invention provides a method, a system, a terminal and a storage medium for managing a server-side authenticated user, so as to solve the above-mentioned technical problems.
In a first aspect, the present invention provides a method for managing a server-side authenticated user, including:
loading a security policy set in a database to a memory, and creating a main service process and an auxiliary service process, wherein the main service process and the auxiliary service process are both mounted on the memory;
if the auxiliary service process confirms that the state of the main service process is abnormal, the main service process is terminated and the auxiliary service process is switched to a new main service process;
verifying user login information sent by a client by using a current main service process, establishing communication connection with the client passing the verification, and monitoring the communication quality with the client;
and calling the security policy set by using the current main service process to verify the security verification information sent by the client, and providing a service item corresponding to the security verification for the verified client.
Further, terminating the main service process and switching the auxiliary service process to a new main service process when the auxiliary service process confirms that the state of the main service process is abnormal includes:
starting bidirectional heartbeat monitoring between the main service process and the auxiliary service process, and setting a deadline;
if the auxiliary service process does not receive the heartbeat of the main service process within the deadline, confirming that the state of the main service process is abnormal;
terminating the main service process, and switching the auxiliary service process into the main service process by starting the main coroutine responsible for listening for client requests;
creating a new auxiliary service process using the fork function.
Further, verifying the user login information with the main service process and establishing a communication connection with the client passing verification includes:
receiving user login information sent by a client;
judging whether user information matching the user login information exists in a user database;
and if so, judging that the user login information passes verification, establishing a communication connection with the client, and storing the user login information in the log set corresponding to that client in the distributed database.
Further, the monitoring the communication quality with the client includes:
the main service process receives heartbeat information periodically sent by a client;
if the main service process does not receive the heartbeat information of the client within a preset time limit, judging that the state of the client is abnormal;
and the main service process terminates the process of the client and disconnects the communication connection with the client.
Further, calling the security policy set from the current main service process to verify the security verification information sent by the client and providing the verified client with the service item corresponding to the security verification includes:
the main service process receives security verification information sent by a client, the client having already filtered it for special characters;
the main service process judges, according to the security verification information, whether the client belongs to a whitelist in the security policy set;
and if so, executing the request sent by the client, returning the execution result to the client, and at the same time saving the request execution information to the log set corresponding to that client in the distributed database.
Further, the method further comprises:
receiving a security policy configuration file sent by a client with a security configuration authority;
performing security verification on the security policy configuration file, and importing the security policy configuration file passing the security verification into a memory;
and synchronously updating the security policy configuration file imported into the memory to a database.
In a second aspect, the present invention provides a server-side authenticated user management system, including:
the service creation unit is configured to load a security policy set in a database into a memory, and create a main service process and an auxiliary service process, wherein the main service process and the auxiliary service process are both mounted on the memory;
the redundancy monitoring unit is configured to be used for terminating the main service process and switching the auxiliary service process into a new main service process when the auxiliary service process confirms that the state of the main service process is abnormal;
the login checking unit is configured to check user login information sent by the client by using the current main service process, establish communication connection with the client passing the check, and monitor the communication quality with the client;
and the security verification unit is configured to utilize the current main service process to call the security policy set to verify the security verification information sent by the client, and provide a service item corresponding to the security verification for the verified client.
Further, the redundancy monitoring unit includes:
a monitoring starting module configured to start bidirectional heartbeat monitoring between the main service process and the auxiliary service process and to set a deadline;
an exception determining module configured to determine that the state of the main service process is abnormal if the auxiliary service process does not receive the heartbeat of the main service process within the deadline;
a service switching module configured to terminate the main service process and switch the auxiliary service process into the main service process by starting the main coroutine responsible for listening for client requests;
and a process rebuilding module configured to create a new auxiliary service process using the fork function.
In a third aspect, a terminal is provided, including:
a processor, a memory, wherein,
the memory is used for storing a computer program which,
the processor is used for calling and running the computer program from the memory so as to make the terminal perform the method of the first aspect.
In a fourth aspect, a computer storage medium is provided having stored therein instructions that, when executed on a computer, cause the computer to perform the method of the above aspects.
The beneficial effects of the invention are as follows.
With the server-side verification user management method, system, terminal and storage medium, server-side stability is improved by creating redundant dual service processes, and the check of the user's login information and the user's security verification are handled by the service processes as separate steps. Compared with existing verification methods that perform the security verification at login time, the method executes the login process and the security verification process separately: a logged-in user sends the corresponding security verification request before executing a request for a given service, and the service is provided only after verification passes, which achieves fine-grained management of user permissions. Without changing the user's working habits, the invention refines permission granularity to host, user, command parameter and access time period, so security is improved, the single point of failure of the bastion host is avoided, and stability is improved.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention.
FIG. 2 is a schematic flow diagram of user login for a method of one embodiment of the present invention.
FIG. 3 is a schematic flow chart diagram of client command execution of the method of one embodiment of the present invention.
FIG. 4 is a schematic block diagram of a system of one embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following explains key terms appearing in the present invention.
Bastion host (bastion machine): covers host management, permission control, operation and maintenance auditing, security compliance and similar functions.
Heartbeat mechanism: a self-defined structure (heartbeat packet) is sent at regular intervals to let the peer know that the sender is still alive, so as to ensure that the connection is valid.
BSON: a JSON-like binary storage format, short for Binary JSON.
Blacklist mode: the rule lists the operations that are not allowed.
Whitelist mode: the rule lists the operations that are allowed.
goroutine (Go coroutine): a function or method that runs concurrently with other functions or methods; it can be viewed as a lightweight thread.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention. The execution subject in fig. 1 may be a service-side authenticated user management system.
As shown in fig. 1, the method includes:
step 110, loading a security policy set in a database to a memory, and creating a main service process and an auxiliary service process, wherein the main service process and the auxiliary service process are both mounted on the memory;
step 120, if the auxiliary service process confirms that the state of the main service process is abnormal, the main service process is terminated and the auxiliary service process is switched to a new main service process;
step 130, checking user login information sent by a client by using a current main service process, establishing communication connection with the checked client, and monitoring the communication quality with the client;
step 140, calling the security policy set by using the current main service process to verify the security verification information sent by the client, and providing a service item corresponding to the security verification for the verified client.
Specifically, the server-side authenticated user management method includes:
s1, loading the security policy set in the database to a memory, and creating a main service process and an auxiliary service process, wherein the main service process and the auxiliary service process are both mounted on the memory; and if the auxiliary service process confirms that the state of the main service process is abnormal, terminating the main service process and switching the auxiliary service process into a new main service process.
When the server side is initialized, the security policy set in the database is loaded into memory; the main service process is created first, and fork (the forking function) then generates the auxiliary service process. The main service and the auxiliary service run independently.
A bidirectional heartbeat is started. A heartbeat-sending coroutine and a heartbeat-detecting coroutine are started in each of the main service process and the auxiliary service process, and each sends heartbeats to the other at regular intervals so that the two monitor each other through the bidirectional heartbeat mechanism. The main service also starts the main coroutine that listens for client requests and serves clients using I/O multiplexing.
Dual-service monitoring. When the auxiliary service process does not detect the heartbeat of the main service process within the time limit, it kills the main service process and starts the main coroutine that listens for client requests, so that the auxiliary service process becomes the main service process and provides service externally; at the same time it forks a new auxiliary service process so that the two continue to monitor each other.
When the main service process does not detect the heartbeat of the auxiliary service process, it restarts the auxiliary service process so that the two continue to monitor each other.
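Added example (not code from the patent or its assignee): a Go model of the dual-service heartbeat monitoring and failover decision described above. The ProcessControl interface, the fakeControl stand-in and the Supervisor type are assumptions; the time limit is the heartbeat deadline from the description, and kill, promotion and fork follow the order given above.

```go
package main

import (
	"fmt"
	"time"
)

// Role of one process in the redundant main/auxiliary pair.
type Role int

const (
	Auxiliary Role = iota
	Main
)

// Action reports what the heartbeat-detecting coroutine did on a tick.
type Action string

const (
	ActionNone             Action = "none"
	ActionPromote          Action = "kill main, become main, fork new auxiliary"
	ActionRestartAuxiliary Action = "restart auxiliary"
)

// ProcessControl abstracts fork/kill and the client-listening coroutine so the
// decision logic can run without real processes (assumed interface).
type ProcessControl interface {
	Kill(pid int) error
	Fork() (int, error) // returns the pid of the new child
	ListenForClients()  // start the main coroutine serving client requests
}

// Supervisor is the heartbeat-detection side of one service process.
type Supervisor struct {
	Role     Role
	PeerPID  int
	Deadline time.Duration // a peer silent for longer than this is abnormal
	lastBeat time.Time
	ctl      ProcessControl
}

func NewSupervisor(role Role, peerPID int, deadline time.Duration, now time.Time, ctl ProcessControl) *Supervisor {
	return &Supervisor{Role: role, PeerPID: peerPID, Deadline: deadline, lastBeat: now, ctl: ctl}
}

// OnHeartbeat is called by the heartbeat-receiving coroutine for each packet.
func (s *Supervisor) OnHeartbeat(now time.Time) { s.lastBeat = now }

// Tick is called periodically by the heartbeat-detecting coroutine and takes
// the recovery action the description prescribes for the caller's role.
func (s *Supervisor) Tick(now time.Time) (Action, error) {
	if now.Sub(s.lastBeat) <= s.Deadline {
		return ActionNone, nil
	}
	action := ActionRestartAuxiliary
	if s.Role == Auxiliary {
		// Main is abnormal: terminate it and take over serving clients.
		if err := s.ctl.Kill(s.PeerPID); err != nil {
			return ActionNone, err // stay auxiliary and retry on the next tick
		}
		s.Role = Main
		s.ctl.ListenForClients()
		action = ActionPromote
	}
	// In both cases the survivor forks a fresh auxiliary so that the two
	// processes continue to monitor each other.
	pid, err := s.ctl.Fork()
	if err != nil {
		return ActionNone, err
	}
	s.PeerPID = pid
	s.lastBeat = now // the new peer gets a full deadline window
	return action, nil
}

// fakeControl records calls instead of touching real processes (constructed
// stand-in used by main below and by tests).
type fakeControl struct {
	killed    []int
	nextPID   int
	listening bool
}

func (f *fakeControl) Kill(pid int) error { f.killed = append(f.killed, pid); return nil }
func (f *fakeControl) Fork() (int, error) { f.nextPID++; return f.nextPID, nil }
func (f *fakeControl) ListenForClients()  { f.listening = true }

func main() {
	start := time.Unix(0, 0)
	ctl := &fakeControl{nextPID: 100}
	aux := NewSupervisor(Auxiliary, 42, 3*time.Second, start, ctl)
	aux.OnHeartbeat(start.Add(1 * time.Second)) // last heartbeat seen from main
	for _, at := range []time.Duration{3 * time.Second, 5 * time.Second, 10 * time.Second} {
		a, err := aux.Tick(start.Add(at))
		fmt.Printf("t=%v role=%d peer=%d action=%q err=%v\n", at, aux.Role, aux.PeerPID, a, err)
	}
}
```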
The security policy set is configured as follows: only the root user has the right to configure security policy, and configuration covers adding, deleting, modifying and querying groups, users, commands and parameters. The blacklist and whitelist support adding and deleting a single command and also support importing files, whose format organizes the data according to the layout of the policy collection document. After the client sends a security policy command to the main service, the main service performs security verification; once it passes, the main service updates the in-memory security policy and communicates with MongoDB to persist the corresponding policy into the security policy set, and a log is recorded at the same time.
S2, checking the user login information sent by the client by using the current main service process, establishing communication connection with the checked client, and monitoring the communication quality with the client.
As shown in fig. 2, the specific process is as follows:
Step 1: the client initiates a login request to the service.
When a user logs in to a host through ssh, telnet or a local session, the system automatically starts the client, which obtains key information such as the user name, login mode and login ip, and then initiates a login request through the login module.
If the first transmission fails, the client sleeps 1 s and retransmits; if the retransmission also fails, it judges whether the current user is root: if so, login proceeds normally; otherwise an error message is printed and the login fails.
If the transmission succeeds, the client waits for the server's response.
Step 2: server login processing.
After receiving the login request, the main service audits the login through the login processing module, checking mainly the user name, the login ip and the time period; if the conditions are met, login is allowed, otherwise it is refused.
After the audit, the result is pushed to the client, and the user login information is recorded in the log set of the MongoDB database through the log module.
Step 3: after receiving the reply, the client parses it. If login is forbidden, the failure message is printed and the client exits; if it is allowed, login proceeds normally and the pseudo-terminal interface is displayed. At the same time a heartbeat coroutine is started to send heartbeats regularly, and each time the main service receives heartbeat data it extends the timeout period. If no heartbeat data is received within 5 seconds, the connection is closed and the client process is killed.
S3, the security policy set is called by the current main service process to verify the security verification information sent by the client, and the verified client is provided with the service item corresponding to the security verification.
As shown in fig. 3, the specific process is as follows:
Step 1: the client filters special characters in the command.
The client reads the command the user types at the pseudo-terminal interface and checks through the command processing module whether it contains special characters; if so, it prompts that the command does not meet the security requirement and the operation ends; otherwise it prepares to initiate a security verification request.
Step 2: command security verification request.
After the filtering check passes, a command security verification request is sent to the main service. If the first transmission fails, the client waits 1 s and retransmits, then waits for the main service's response if the retransmission succeeds; if the retransmission also fails, it prompts the user to contact the administrator for manual intervention. If the transmission succeeds, the client waits for the main service's response.
Step 3: command security verification.
The command processing module is mainly responsible for command segmentation and permission verification, and supports verifying command parameters with regular expressions.
After receiving the security verification request, the main service performs command segmentation and permission verification through the command processing module. Under a whitelist policy, allow is returned if the command and its parameters match successfully, otherwise forbid is returned; under a blacklist policy the opposite holds. After verification, the result is pushed to the client, and the operation information is recorded in the log set of the MongoDB database through the log module.
Step 4: command processing.
After receiving the reply, the client parses the security verification result through the command processing module. If the result is allow, the command is executed normally and its output is displayed on the pseudo-terminal interface; if it is forbid, a message saying execution is forbidden is printed and the operation ends.
Under abnormal conditions, if the client receives no response, manual intervention by the root user is needed.
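Added example, not from the patent: a Go implementation of the command check in Steps 1 to 3, covering the special-character filter, command segmentation and whitelist/blacklist matching with regular-expression parameter rules. The specialChars set and the Rule/Policy layout are assumptions, and the server re-runs the special-character filter that the patent assigns to the client.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mode selects how the rule list is interpreted.
type Mode int

const (
	Whitelist Mode = iota // only commands matching a rule are allowed
	Blacklist             // commands matching a rule are forbidden
)

// Rule pairs a command name with a regular expression that the whole
// parameter string must satisfy. Field layout is assumed; the patent only
// states that regular expressions verify command parameters.
type Rule struct {
	Command string
	Params  *regexp.Regexp
}

// Policy is the in-memory security policy set applied to one client.
type Policy struct {
	Mode  Mode
	Rules []Rule
}

// NewRule compiles the parameter pattern anchored to the full parameter
// string, so a pattern written for "-l" cannot also match "-l /etc".
func NewRule(command, paramPattern string) (Rule, error) {
	re, err := regexp.Compile("^(?:" + paramPattern + ")$")
	if err != nil {
		return Rule{}, fmt.Errorf("rule %q: %w", command, err)
	}
	return Rule{Command: command, Params: re}, nil
}

// specialChars is the filter set. The patent does not list the characters;
// the usual shell metacharacters are assumed here.
const specialChars = ";|&$`<>\\\n"

// HasSpecialChars is the check the client runs before sending a request.
func HasSpecialChars(line string) bool {
	return strings.ContainsAny(line, specialChars)
}

// Segment splits a command line into the command and its parameter string
// with whitespace normalised, which is the form the regex is matched against.
func Segment(line string) (cmd, params string) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return "", ""
	}
	return fields[0], strings.Join(fields[1:], " ")
}

// Verify performs command segmentation and permission verification and
// returns the verdict together with the record written to the client's log
// set. The special-character filter is applied again here so that a client
// which skipped its own check is still refused.
func (p Policy) Verify(line string) (allowed bool, record string) {
	if HasSpecialChars(line) {
		return false, fmt.Sprintf("forbid %q: special characters", line)
	}
	cmd, params := Segment(line)
	matched := false
	for _, r := range p.Rules {
		if r.Command == cmd && r.Params.MatchString(params) {
			matched = true
			break
		}
	}
	if p.Mode == Whitelist {
		allowed = matched
	} else {
		allowed = !matched
	}
	verdict := "forbid"
	if allowed {
		verdict = "allow"
	}
	return allowed, fmt.Sprintf("%s %q (cmd=%q params=%q)", verdict, line, cmd, params)
}

func main() {
	ls, err := NewRule("ls", "(-[la]+)?") // constructed sample rule
	if err != nil {
		panic(err)
	}
	white := Policy{Mode: Whitelist, Rules: []Rule{ls}}
	for _, line := range []string{"ls -la", "ls -R /", "ls -la; rm -r /tmp/x", "cat notes.txt"} {
		_, rec := white.Verify(line)
		fmt.Println(rec)
	}
}
```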
As shown in fig. 4, the system 400 includes:
a service creation unit 410 configured to load a security policy set in a database into a memory, and create a main service process and an auxiliary service process, where the main service process and the auxiliary service process are both mounted on the memory;
a redundancy monitoring unit 420 configured to terminate the main service process and switch the auxiliary service process to a new main service process if the auxiliary service process determines that the state of the main service process is abnormal;
a login checking unit 430 configured to check user login information sent by a client by using a current main service process, establish communication connection with the client passing the check, and monitor communication quality with the client;
and the security verification unit 440 is configured to invoke the security policy set by using the current master service process to verify the security verification information sent by the client, and provide a service item corresponding to the security verification to the verified client.
Optionally, as an embodiment of the present invention, the redundancy monitoring unit includes:
a monitoring starting module configured to start bidirectional heartbeat monitoring between the main service process and the auxiliary service process and to set a deadline;
an exception determining module configured to determine that the state of the main service process is abnormal if the auxiliary service process does not receive the heartbeat of the main service process within the deadline;
a service switching module configured to terminate the main service process and switch the auxiliary service process into the main service process by starting the main coroutine responsible for listening for client requests;
and a process rebuilding module configured to create a new auxiliary service process using the fork function.
Fig. 5 is a schematic structural diagram of a terminal 500 according to an embodiment of the present invention, where the terminal 500 may be used to execute a method for verifying a user by a server according to the embodiment of the present invention.
Among them, the terminal 500 may include: a processor 510, a memory 520, and a communication unit 530. The components communicate via one or more buses, and those skilled in the art will appreciate that the architecture of the servers shown in the figures is not intended to be limiting, and may be a bus architecture, a star architecture, a combination of more or less components than those shown, or a different arrangement of components.
The memory 520 may be used for storing instructions executed by the processor 510, and the memory 520 may be implemented by any type of volatile or non-volatile storage terminal or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk. The executable instructions in memory 520, when executed by processor 510, enable terminal 500 to perform some or all of the steps in the method embodiments described below.
The processor 510 is a control center of the storage terminal, connects various parts of the entire electronic terminal using various interfaces and lines, and performs various functions of the electronic terminal and/or processes data by operating or executing software programs and/or modules stored in the memory 520 and calling data stored in the memory. The processor may be composed of an Integrated Circuit (IC), for example, a single packaged IC, or a plurality of packaged ICs connected with the same or different functions. For example, processor 510 may include only a Central Processing Unit (CPU). In the embodiment of the present invention, the CPU may be a single operation core, or may include multiple operation cores.
A communication unit 530 for establishing a communication channel so that the storage terminal can communicate with other terminals. And receiving user data sent by other terminals or sending the user data to other terminals.
The present invention also provides a computer storage medium, wherein the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments provided by the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Therefore, the invention improves server stability by creating redundant dual service processes, and achieves fine-grained management of user permissions by having the service processes separate the two verification steps, the check of the user's login information and the security verification. Without changing the user's working habits, the invention refines permission granularity to host, user, command parameter and access time period, so security is improved, the single point of failure of the bastion host is avoided, and stability is improved.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, where the computer software product is stored in a storage medium, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like, and the storage medium can store program codes, and includes instructions for enabling a computer terminal (which may be a personal computer, a server, or a second terminal, a network terminal, and the like) to perform all or part of the steps of the method in the embodiments of the present invention.
The same and similar parts in the various embodiments in this specification may be referred to each other. Especially, for the terminal embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant points can be referred to the description in the method embodiment.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. The system embodiments described above are merely illustrative: the division into units is only one logical functional division, and other divisions may be used in practice; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, systems or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Although the present invention has been described in detail with reference to the drawings and the preferred embodiments, the present invention is not limited thereto. Various equivalent modifications or substitutions can be made to the embodiments of the present invention by those skilled in the art without departing from the spirit and scope of the present invention, and any change or substitution that a person skilled in the art can easily conceive of within the technical scope of the present invention falls within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A server side authentication user management method is characterized by comprising the following steps:
loading a security policy set in a database to a memory, and creating a main service process and an auxiliary service process, wherein the main service process and the auxiliary service process are both mounted on the memory;
if the auxiliary service process confirms that the state of the main service process is abnormal, the main service process is terminated and the auxiliary service process is switched to a new main service process;
verifying user login information sent by a client by using the current main service process, establishing a communication connection with the client that passes the verification, and monitoring the communication quality with the client;
and calling the security policy set by using the current main service process to verify the security verification information sent by the client, and providing the service item corresponding to the security verification to the client that passes the verification.
2. The method of claim 1, wherein terminating the main service process and switching the auxiliary service process to a new main service process when the auxiliary service process confirms that the state of the main service process is abnormal comprises:
starting bidirectional heartbeat monitoring between the main service process and the auxiliary service process, and setting an absolute time limit (deadline);
if the auxiliary service process does not receive the heartbeat of the main service process within the deadline, confirming that the state of the main service process is abnormal;
terminating the main service process, and switching the auxiliary service process into a main service process whose main coroutine is responsible for listening for client requests;
creating a new auxiliary service process using the fork function.
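The failover loop of claim 2 as an added illustration (not code from the patent): a main/auxiliary pair exchanging heartbeats against a deadline, with the auxiliary terminating an unresponsive main, taking over its role and replacing itself. The `RedundantServer` class, the injected clock and the pid counter standing in for the real fork call are all assumptions of this example.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    role: str                 # "main" or "auxiliary"
    alive: bool = True
    last_heartbeat: float = 0.0   # last time the peer heard from this process


class RedundantServer:
    """Model of the main/auxiliary pair with bidirectional heartbeat monitoring."""

    def __init__(self, deadline: float, now: float = 0.0):
        self._pids = itertools.count(100)   # stand-in for fork(): hands out new pids
        self.deadline = deadline
        self.main = self._spawn("main", now)
        self.aux = self._spawn("auxiliary", now)
        self.terminated = []                # processes killed during failover

    def _spawn(self, role: str, now: float) -> Proc:
        return Proc(pid=next(self._pids), role=role, last_heartbeat=now)

    def heartbeat(self, proc: Proc, now: float) -> None:
        if proc.alive:
            proc.last_heartbeat = now

    def check_main(self, now: float) -> bool:
        """Run by the auxiliary: no main heartbeat within the deadline -> take over."""
        if now - self.main.last_heartbeat <= self.deadline:
            return False
        self.main.alive = False              # terminate the unresponsive main
        self.terminated.append(self.main)
        self.aux.role = "main"               # promoted: its main coroutine now listens
        self.aux.last_heartbeat = now        # fresh deadline window for the new main
        self.main, self.aux = self.aux, self._spawn("auxiliary", now)
        return True

    def check_aux(self, now: float) -> bool:
        """Run by the main: a silent auxiliary is replaced so redundancy is kept."""
        if now - self.aux.last_heartbeat <= self.deadline:
            return False
        self.aux.alive = False
        self.terminated.append(self.aux)
        self.aux = self._spawn("auxiliary", now)
        return True
```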
3. The method of claim 1, wherein verifying the user login information and establishing the communication connection with the verified client by using the main service process comprises:
receiving user login information sent by a client;
judging whether user information matching the user login information exists in a user database:
and if so, judging that the user login information passes the verification, establishing a communication connection with the client, and storing the user login information in the log set of the distributed database corresponding to the client.
4. The method of claim 1, wherein the monitoring the quality of communication with the client comprises:
the main service process receives heartbeat information periodically sent by a client;
if the main service process does not receive the heartbeat information of the client within a preset time limit, judging that the state of the client is abnormal;
and the main service process terminates the process of the client and disconnects the communication connection with the client.
5. The method of claim 1, wherein calling the security policy set by the current main service process to verify the security verification information sent by the client and providing the service item corresponding to the security verification to the verified client comprises:
the main service process receives security verification information sent by a client, from which special symbols have been filtered by the client;
the main service process judges, according to the security verification information, whether the client belongs to a whitelist in the security policy set:
and if so, executing the request sent by the client, returning the execution result to the client, and simultaneously saving the request execution information in the log set of the distributed database corresponding to the client.
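An added example (not the patent's own code) of the whitelist check of claim 5, with the policy granularity the description names: host, user, instruction parameters and access time period. The `Rule` structure, the `FORBIDDEN` character set the client strips, and the sample rule are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Iterable, Sequence

# Constructed: shell metacharacters the client strips before sending a request.
FORBIDDEN = frozenset(";|&`$<>\n")


@dataclass(frozen=True)
class Rule:
    """One whitelist entry of the in-memory security policy set (assumed layout)."""
    host: str
    user: str
    command: str
    allowed_args: frozenset      # instruction parameters this user may pass
    start: time                  # access time period, inclusive
    end: time


def strip_special(text: str) -> str:
    """Client-side filtering of special symbols before the request is sent."""
    return "".join(c for c in text if c not in FORBIDDEN)


def whitelisted(rules: Iterable[Rule], host: str, user: str,
                command: str, args: Sequence[str], at: time) -> bool:
    """Server-side check: a request is executed only if some rule covers
    the host, user, command, every parameter and the current time of day."""
    wanted = set(args)
    for r in rules:
        if (r.host == host and r.user == user and r.command == command
                and wanted <= r.allowed_args and r.start <= at <= r.end):
            return True
    return False


def evaluate(rules, host, user, raw_request, at):
    """Parse a filtered request 'cmd arg...' and return (allowed, cleaned_request)."""
    cleaned = strip_special(raw_request)
    parts = cleaned.split()
    if not parts:
        return False, cleaned
    return whitelisted(rules, host, user, parts[0], parts[1:], at), cleaned
```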
6. The method of claim 1, further comprising:
receiving a security policy configuration file sent by a client with a security configuration authority;
performing security verification on the security policy configuration file, and importing the security policy configuration file passing the security verification into a memory;
and synchronously updating the security policy configuration file imported into the memory to a database.
7. A server-side authenticated user management system, comprising:
the service creation unit is configured to load a security policy set in a database into a memory, and create a main service process and an auxiliary service process, wherein the main service process and the auxiliary service process are both mounted on the memory;
the redundancy monitoring unit is configured to be used for terminating the main service process and switching the auxiliary service process into a new main service process when the auxiliary service process confirms that the state of the main service process is abnormal;
the login checking unit is configured to verify user login information sent by the client by using the current main service process, establish a communication connection with the client that passes the verification, and monitor the communication quality with the client;
and the security verification unit is configured to use the current main service process to call the security policy set to verify the security verification information sent by the client, and to provide the service item corresponding to the security verification to the client that passes the verification.
8. The system of claim 7, wherein the redundancy monitoring unit comprises:
the monitoring starting module is configured to start bidirectional heartbeat monitoring between the main service process and the auxiliary service process and to set an absolute time limit (deadline);
an exception determining module configured to determine that the state of the main service process is abnormal if the auxiliary service process does not receive the heartbeat of the main service process within the deadline;
the service switching module is configured to terminate the main service process and switch the auxiliary service process into a main service process whose main coroutine is responsible for listening for client requests;
and the process rebuilding module is configured to create a new auxiliary service process using the fork function.
9. A terminal, comprising:
a processor;
a memory for storing instructions for execution by the processor;
wherein the processor is configured to perform the method of any one of claims 1-6.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010954417.7A CN112202727B (en) 2020-09-11 2020-09-11 Server-side verification user management method, system, terminal and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010954417.7A CN112202727B (en) 2020-09-11 2020-09-11 Server-side verification user management method, system, terminal and storage medium

Publications (2)

Publication Number Publication Date
CN112202727A true CN112202727A (en) 2021-01-08
CN112202727B CN112202727B (en) 2023-01-10

Family

ID=74014771

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010954417.7A Active CN112202727B (en) 2020-09-11 2020-09-11 Server-side verification user management method, system, terminal and storage medium

Country Status (1)

Country Link
CN (1) CN112202727B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113395287A (en) * 2021-06-22 2021-09-14 杭州默安科技有限公司 Method and system for recording network attack IP and command execution echo
CN113849349A (en) * 2021-09-29 2021-12-28 中国船舶重工集团公司第七0七研究所 Method for realizing dual-computer redundancy for multiple users

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753954A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Method for using fortress machine to guarantee network security
CN105429972A (en) * 2015-11-10 2016-03-23 华为技术有限公司 Resource access control method and equipment
US20190005252A1 (en) * 2016-01-29 2019-01-03 Nod Bizware Co., Ltd. Device for self-defense security based on system environment and user behavior analysis, and operating method therefor
CN111541665A (en) * 2020-04-16 2020-08-14 苏州浪潮智能科技有限公司 Data access method, device, storage medium and cluster type security management platform

Also Published As

Publication number Publication date
CN112202727B (en) 2023-01-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant